5.10-stable patches

added patches:
	spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch

diff --git a/queue-5.10/series b/queue-5.10/series
index d26697f21b3efd5ffa5de40fcabe29566dfaf5be..cb4b4b1e4b11113df92e349a309a5b268d5e1908 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -74,3 +74,4 @@ tcp-fix-a-data-race-around-sysctl_tcp_retrans_collap.patch
 tcp-fix-a-data-race-around-sysctl_tcp_stdurg.patch
 tcp-fix-a-data-race-around-sysctl_tcp_rfc1337.patch
 tcp-fix-data-races-around-sysctl_tcp_max_reordering.patch
+spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch

diff --git a/queue-5.10/spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch b/queue-5.10/spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch
new file mode 100644 (file)
index 0000000..3234db1
--- /dev/null
+++ b/queue-5.10/spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch
@@ -0,0 +1,49 @@
+From 4ceaa684459d414992acbefb4e4c31f2dfc50641 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Tue, 19 Jul 2022 09:22:35 +0200
+Subject: spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 4ceaa684459d414992acbefb4e4c31f2dfc50641 upstream.
+
+In case a IRQ based transfer times out the bcm2835_spi_handle_err()
+function is called. Since commit 1513ceee70f2 ("spi: bcm2835: Drop
+dma_pending flag") the TX and RX DMA transfers are unconditionally
+canceled, leading to NULL pointer derefs if ctlr->dma_tx or
+ctlr->dma_rx are not set.
+
+Fix the NULL pointer deref by checking that ctlr->dma_tx and
+ctlr->dma_rx are valid pointers before accessing them.
+
+Fixes: 1513ceee70f2 ("spi: bcm2835: Drop dma_pending flag")
+Cc: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Link: https://lore.kernel.org/r/20220719072234.2782764-1-mkl@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-bcm2835.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -1174,10 +1174,14 @@ static void bcm2835_spi_handle_err(struc
+       struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr);
+ 
+       /* if an error occurred and we have an active dma, then terminate */
+-      dmaengine_terminate_sync(ctlr->dma_tx);
+-      bs->tx_dma_active = false;
+-      dmaengine_terminate_sync(ctlr->dma_rx);
+-      bs->rx_dma_active = false;
++      if (ctlr->dma_tx) {
++              dmaengine_terminate_sync(ctlr->dma_tx);
++              bs->tx_dma_active = false;
++      }
++      if (ctlr->dma_rx) {
++              dmaengine_terminate_sync(ctlr->dma_rx);
++              bs->rx_dma_active = false;
++      }
+       bcm2835_spi_undo_prologue(bs);
+ 
+       /* and reset */